Twitter gives up on encrypting direct messages, at least for now


(Kevin Krejci / Flickr)

Twitter has shelved a project that would have made it more difficult for the government to intercept users’ private messages without a court order, sources tell The Verge, a sudden reversal for a company that has been ahead of the curve on privacy at a time of creeping surveillance.

Most of Twitter’s content is public, but there are a few channels that users consider private: personal information, protected accounts, and direct messages, which function like a limited email system.

In November, news leaked that Twitter had started work on encrypting direct messages in order to prevent unauthorized snooping by hackers or the state. But the project was dropped earlier this year without explanation, to the confusion of employees who were working on it and those in the internet security community who were aware of it.

The project was dropped without explanation

Twitter declined to comment on why its latest encryption effort has stalled, but all signs point to its overloaded to-do list rather than an abandonment of its values. Twitter has been rethinking its messaging mechanism, evidenced by major changes just before its IPO last year, so it may be that there is just too much in flux to invest in encryption right now. Whatever the reason, direct-message encryption has dropped off the priority list indefinitely — and a source confirmed it will not be implemented this quarter or next.

The seven-year-old social network has established a reputation for fighting government data requests. The most notable example was its refusal to cooperate with PRISM, the controversial National Security Agency program that made it easy for the government to electronically pick up data ordered under court-approved requests. ("Twitter declined to make it easier for the government," is how the NYT phrased it.) Twitter has also repeatedly challenged government subpoenas and gag orders, empowered by principles espoused by its founders and the leadership of its strong-willed advisor and former head lawyer, Alex Macgillivray, who one source says "doesn’t give a shit" about the government’s demands or intimidation tactics.

In addition to the PRISM program, which required cooperation, the NSA was collecting data without tech companies being aware of it. For example, one secret program swept up email address books and instant message contacts from users of Yahoo, Gmail, and other services by cutting deals with foreign network providers. Another program clandestinely intercepted information from Google and Yahoo data center traffic. If that traffic had been encrypted, it would have made it very difficult if not impossible for the NSA to decode what it harvested.

Encryption is seen as increasingly crucial in the fallout from the NSA revelations

Tensions between the government and American internet companies flared over new details on NSA surveillance programs last fall. These companies say they are losing the trust of users outside the US, who were subject to greater levels of spying, as well as those inside the US due to gag orders attached to data requests. As a result, encryption is considered increasingly crucial for companies to win back users’ confidence. Many companies, including Microsoft, Google, and Yahoo, have announced plans to encrypt their traffic internally within their data centers and externally across the web. "The solution to government surveillance is to encrypt everything," Google's chairman, Eric Schmidt, said during a speech in Washington, DC.

Despite dropping encryption for DMs, Twitter has been shoring up user security in other areas. The company added perfect forward secrecy, which means that a third party who later gains access to the server's long-term private keys cannot use them to decrypt previously recorded traffic. It also recently encrypted its emails to users and has a perfect rating in the 2013 Electronic Frontier Foundation’s "Who Has Your Back?" security report, a perfect rating in the EFF's "Encrypt the Web" report, and the highest score in the Online Trust Alliance’s ranking of websites on privacy, security, and consumer protection.
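The perfect-forward-secrecy point above is easy to state and easy to get wrong, so here is an added illustration (not code from The Verge article, and not Twitter's implementation) in plain Python with only the standard library. It models two key agreements: a static Diffie-Hellman exchange, where the session key is derived from the server's long-term key, and an ephemeral one, where the long-term key only authenticates fresh per-session values. An adversary who records the traffic and later obtains the long-term key can recover the first session but not the second. The 127-bit prime, the SHA-256 counter "cipher" and the HMAC stand-in for a signature are all constructed toy parameters for the demonstration, not anything a real deployment should use.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only; real deployments use
# standardized groups or elliptic curves, never a 127-bit prime.
P = 2**127 - 1
G = 3
MESSAGE = b"constructed sample direct message"


def keypair():
    """Generate a DH private exponent and its public value."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv, their_pub):
    """Derive a 32-byte session key from the DH shared secret."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor_cipher(key, data):
    """Toy stream cipher: SHA-256 counter keystream XORed with the data (symmetric)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def authenticate(static_priv, value):
    """Stand-in for a signature: the server's long-term key tags its ephemeral public value."""
    return hmac.new(static_priv.to_bytes(16, "big"), value.to_bytes(16, "big"), "sha256").digest()


def static_dh_session(server_static_pub, message):
    """No forward secrecy: the session key depends on the server's long-term key.
    Returns what a passive recorder on the wire would capture."""
    client_priv, client_pub = keypair()
    ciphertext = xor_cipher(session_key(client_priv, server_static_pub), message)
    return {"client_pub": client_pub, "ciphertext": ciphertext}


def ephemeral_dh_session(server_static_priv, message):
    """Forward secrecy: both sides use fresh keys; the long-term key only authenticates."""
    s_priv, s_pub = keypair()
    c_priv, c_pub = keypair()
    tag = authenticate(server_static_priv, s_pub)
    ciphertext = xor_cipher(session_key(c_priv, s_pub), message)
    del s_priv, c_priv  # ephemeral secrets are discarded once the session ends
    return {"server_pub": s_pub, "client_pub": c_pub, "tag": tag, "ciphertext": ciphertext}


def decrypt_with_stolen_key(server_static_priv, transcript):
    """An adversary who later obtains the long-term key replays the key derivation
    against the recorded transcript."""
    k = session_key(server_static_priv, transcript["client_pub"])
    return xor_cipher(k, transcript["ciphertext"])


def demo(message=MESSAGE):
    """Run both sessions, then attempt after-the-fact decryption with the stolen long-term key."""
    static_priv, static_pub = keypair()
    static_transcript = static_dh_session(static_pub, message)
    pfs_transcript = ephemeral_dh_session(static_priv, message)
    return {
        "static_recovered": decrypt_with_stolen_key(static_priv, static_transcript),
        "pfs_recovered": decrypt_with_stolen_key(static_priv, pfs_transcript),
        "tag_valid": hmac.compare_digest(
            pfs_transcript["tag"], authenticate(static_priv, pfs_transcript["server_pub"])
        ),
    }


if __name__ == "__main__":
    r = demo()
    print("static DH, key stolen later   :", r["static_recovered"] == MESSAGE)  # True
    print("ephemeral DH, key stolen later:", r["pfs_recovered"] == MESSAGE)     # False
```

The point the demo makes is structural rather than cryptographic: in the ephemeral exchange the only thing the long-term key ever touched was the authentication tag, so having it later lets the adversary verify the transcript but not rebuild the session key, whose inputs were deleted when the session ended. That is why the data-center interception described earlier in the article is far less damaging against services that deploy forward secrecy.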

Twitter's populism is one of its core values

Other Silicon Valley giants are upping their encryption game, however, and startups like Wickr are raising the bar for secure messaging. Privacy advocates believe direct message encryption is important if Twitter is to maintain its sterling reputation. "Encryption of communications is vital," Kurt Opsahl, senior staff attorney at the EFF, says of Twitter’s decision to stop encrypting DMs. "We know... that there is an active attempt to get unencrypted communications through internet companies’ internal traffic." Chris Soghoian, a senior policy analyst for the American Civil Liberties Union, says Twitter should go a step further and prevent direct messages from being readable even with a court order. "Direct messages are probably the most private category of user information held by Twitter, and the company should be encrypting DMs end-to-end," he says.

The trove of documents collected by former NSA contractor Edward Snowden is still producing new revelations about the national surveillance program, meaning the topic is unlikely to go away soon. Twitter’s populism — firmly established when it became popular with Arab Spring protestors — has historically been one of its core values. Encrypting private messages would reassure users that Twitter is on their side. Unfortunately, the company isn’t ready to make that promise yet.

The Verge